1.1Terminology

We start by defining some common terms that are used in this document and throughout the related documents listed in the preface.

Some industry standards, such as SAML, are included for their relevance to later discussion. The list is not intended to be comprehensive.

Application Life cycle

An application can be provided by Oracle or by a third-party vendor, or it can be developed in-house. In all cases, applications are designed to run in an application server environment and to take advantage of Oracle Fusion Middleware features and capabilities.

The typical life cycle of an application includes these phases:

development

deployment

Migration (Test to Production)

Upgrade (for example, from Release 10.1.x to Release 11g)

ongoing maintenance tasks (for example, patching) in a production environment.

Security is an integral part of the application life cycle, although the scope and implementation details may vary.

For example, at development time user credentials can simply be stored in a file, whereas a deployed application is generally secured with an identity management solution using an LDAP directory at the back-end.

Audit

Auditing is a process that measures accountability. In the Identity and Access Management space, auditing provides reports and the data that shows who accessed what resources and when.

Authentication

Authentication verifies that the user is who she claims to be. A user's identity is verified through the credentials presented by that user, such as:

something one has, for example, credentials issued by a trusted authority such as a passport (real world) or a smart card (IT world),

something one knows, for example a shared secret such as a password,

something one is, for example, biometric information

A combination of several types of credentials is referred to as "strong" authentication; an example is the use of an ATM card (something one has) with a PIN or password (something one knows).

Authorization

Also known as access control, authorization is designed to grant access to specific resources based on an authenticated user's entitlements. Entitlements are defined by one or several attributes. An attribute is the property, characteristic, or role of a user; for example, if "Raj" is the user, "software engineer" is the attribute (or role).

Authorization is based on the enforcement of access policies; for example, if Raj is assigned the software engineer role, he can access specific application code.

Credential Store

A credential store is a service that you can use to store passwords to external applications and systems such as databases or LDAP directories.

In Oracle Fusion Middleware 11g Release 1 (11.1.1), the credential store is either file-based (Oracle wallet) or an LDAP-based repository for storing credentials such as passwords.

Development Phase

The development phase is the first stage in the life cycle of an application. During this phase, developers code the application logic and presentation layers.

Using Oracle Application Development Framework (Oracle ADF), developers can make use of Oracle ADF's built-in support for a range of security features.

The deployment phase is the second stage in the life cycle of an application. During this phase, administrators package the application and deploy it to the target environment (for example, an application server) to enable end user access.

In the deployment phase, administrators typically perform application role-to-enterprise group mappings. For more information, see

The infrastructure refers to the full range of system software required to deploy an application. Infrastructure hardening is the process of applying security to each component of the infrastructure, including web servers, application servers, identity and access management solutions, and database systems. Infrastructure hardening is the basis for end-to-end security across the multiple infrastructure components involved in a transaction.

Note:

In the context of securing Oracle WebLogic Server, this task is referred to as "lockdown." However, in the broader context of Oracle Fusion Middleware, it is referred to as infrastructure hardening.

Oracle Application Development Framework (Oracle ADF) is an innovative, comprehensive Java EE development framework that is directly supported and enabled by the Oracle JDeveloper 11g development environment.

Oracle ADF simplifies Java EE development by minimizing the code that implements the application's infrastructure, allowing the users to focus on the features of the actual application. Oracle ADF provides these infrastructure implementations as part of the framework. To recognize a set of run-time services is not enough, Oracle ADF is also focused on the development experience to provide a visual and declarative approach to Java EE development through the Oracle JDeveloper 11g development tool.

Formerly SUN Directory Server Enterprise Edition, Oracle Directory Server Enterprise Edition is the best known directory server with proven large deployments in carrier and enterprise environments. It is also the most supported directory by ISVs, so it is ideal for heterogeneous environments. ODSEE provides a core directory service with embedded database, directory proxy, Active Directory (AD) synchronization and a Web administration console.

Oracle Entitlements Server secures access to application resources and software components (such as URLs, EJBs, and JSPs) and to arbitrary business objects (such as customer accounts or patient records). Oracle Entitlements Server policies specify which users, groups, and roles can access application resources, allowing those roles to be dynamically resolved at run-time.

Oracle Entitlements Server can also evaluate specialized attributes to make more granular access control decisions through a unique, flexible architecture called Security Modules. The server's standalone administration service manages and distributes complex entitlements policies to policy decision and enforcement points. Security modules may run in a centralized mode or they can be embedded within an application, ensuring maximum flexibility and high performance authorizations for business critical applications.

Oracle Identity Federation is an industry-leading federation solution providing a self-contained and flexible multi-protocol federation server that can be rapidly deployed with your existing identity and access management systems. Support for leading standards-based protocols ensures interoperability to share identities across vendors, customers, and business partners without the increased costs of managing, maintaining, and administering additional identities and credentials.

Oracle Identity Manager

Oracle Identity Manager is a best-in-class user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories; and improves regulatory compliance by providing granular reports and attestation support to report and certify user access.

Oracle Internet Directory

Oracle Internet Directory is an LDAP v3 compliant directory with meta-directory capabilities. It is built on the industry leading Oracle database and is fully integrated into Oracle Fusion Middleware and Oracle Applications. Thus, it is ideally suited for Oracle environments or enterprises with Oracle database expertise.

Oracle Internet Directory provides security at every level from data in transit to storage and backups. In addition to LDAP security, it leverages Oracle database security features like Database Vault and Transparent Data Encryption. Database Vault enables separation of duty (SOD) while Transparent Data Encryption secures data in storage and backup.

OPSS provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate developers from security and identity management implementation details. In-house developed applications, third-party applications, and integrated applications all benefit from the same uniform security, identity management, and audit services across the enterprise.

When they leverage OPSS, developers do not have to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures.

Oracle Security Token Service

Oracle Security Token Service brokers trust between a Web Service Consumer (WSC) and a Web Service Provider (WSP) and provides security token lifecycle management services to providers and consumers.

Oracle Virtual Directory provides identity aggregation and virtualization without synchronization. It is not LDAP storage, but rather, a virtualization service. Key features include a single interface for identity, an LDAP interface for non-LDAP data including databases and Web services, data transformation features, and application-specific views of data.

For customers who also need directory storage, Oracle Virtual Directory shares a unified administration and management system with Oracle Internet Directory.

Oracle Web Services Manager

Oracle Web Services Manager is a comprehensive solution for adding policy-driven best practices to all your existing or new Web services and provides the key security and management capabilities necessary to deploy Service-Oriented Architectures across your line-of-business applications.

Oracle Web Services Manager collects monitoring statistics to ensure quality of service, uptime, and security threats and displays them in a Web dashboard.

Oracle Wallet

An Oracle wallet is a container that stores credentials such as certificates, trusted certificates, certificate requests, and private keys. You can store Oracle wallets on the file system or in LDAP directories such as Oracle Internet Directory. Oracle wallets can be auto-login or password-protected wallets.

You use an Oracle wallet for the following components:

Oracle HTTP Server

Oracle Web Cache

Oracle Internet Directory

Partner Applications

A partner application is an Oracle Application Server-based application or a non-Oracle application that delegates the authentication function to the OracleAS SSO (OSSO) server. A partner application is responsible for determining whether a user authenticated by OSSO is authorized to use the application. Examples of partner applications include Oracle Portal, Oracle Discoverer, and Oracle Delegated Administration Services.

Security Assertions Markup Language (SAML) is an XML-based framework for exchanging security information over the Internet. SAML enables the exchange of authentication and authorization information between various security services systems that otherwise would not be able to interoperate.

Single Sign-On

Single sign-on enables a user to authenticate once and gain access to several applications without the need to re-authenticate.

System Component

A system component is a manageable process that is not Oracle WebLogic Server. Examples include Oracle HTTP Server and Oracle Internet Directory.

Web Services Security

Web services security includes authentication and authorization (described above), confidentiality and privacy (keeping information secret), and integrity / non repudiation (making sure that a message remains unaltered during transit by having an authority digitally sign that message; a digital signature also validates the sender and provides a time stamp ensuring that a transaction cannot be later repudiated by either the sender or the receiver). Web services security requirements are supported by industry standards both at the transport level (Secure Socket Layer) and at the application level relying on XML frameworks, for example XML encryption, XML signature, and Security Assertion Markup Language (SAML).

eXtensible Access Control Markup Language (XACML)

XACML is a declarative standard for languages that specify both access control policy and access control request/response requirements.

1.2 Scope of Security in Oracle Fusion Middleware

By Oracle Fusion Middleware security, we mean the full range of security options available to applications throughout their life cycle in 11g Release 1 (11.1.1). At the outset it is important to note that, beginning with this release, Oracle WebLogic Server is the application server for Oracle Fusion Middleware. Existing users can continue to use the security facilities provided by Oracle WebLogic Server, using the same configuration tools as before.

The data tier is the repository for LDAP directories and databases, such as Oracle Internet Directory, Oracle Virtual Directory, and Oracle Database.

The following diagram is a high-level overview of the major elements of security in Oracle Fusion Middleware:

Figure 1-2 Security in Oracle Fusion Middleware

This figure shows the elements of security in Oracle Fusion Middleware: the Web tier on the left contains load balancers and other components outside the firewall; the middle tier hosts Oracle WebLogic Server and its applications; and on the right, the Data tier contains databases and directories. Different administration tools are shown at the top of the figure.

Key elements of this architecture are as follows:

Fusion Middleware Control, GUI-based administration tool for Oracle Fusion Middleware. You use Fusion Middleware Control to configure, manage and monitor components and applications, and to implement security for these components:

Oracle HTTP Server

Oracle Web Cache

Oracle Internet Directory

Oracle Virtual Directory

Oracle WebLogic Server is the application server for Oracle Fusion Middleware components such as Oracle SOA Suite, Oracle Identity Management, Oracle WebCenter, and applications developed by customers, system integrators, and third-party vendors.

The vertical broken lines represent firewalls

The circles represents listeners that can be SSL-enabled for secure communication

Fusion Middleware Control enables you to configure Oracle applications running on the server, and to leverage security features that rely on the OPSS APIs.

The Oracle WebLogic Scripting Tool (WLST) is a command-line scripting environment that you can use to create, manage, and monitor WebLogic Server domains, and administer Oracle Fusion Middleware security features

Oracle Business Intelligence Publisher enables you to view audit reports

Scripting on this page enhances content navigation, but does not change the content in any way.